There is pervasive fear of identity theft. Victims spend an
extraordinary amount of time and money recovering from it. The government
is doing something about it, but businesses may not be pleased to hear that
the government's latest action is another unfunded mandate.

New rules concerning identity theft prevention at financial companies go
into effect on Friday
May 1, 2009, but for most organizations, complying with the FTC's Red Flags Rule could be as
simple as writing down rules and procedures already in place and having them
certified by the Board.

The rules are about procedures, not about data security, said Tiffany
George, attorney for the division of privacy and identity protection at the
FTC. She spoke on Tuesday at the FTC's workshop for businesses held on the campus of
Fordham University in New York City. "The Red Flags Rule covers what to do
when, despite our best efforts, thieves steal data," she said.

As new regulations go, the FTC's Red Flags Rule will be less painful than many other recently enacted rules. For example, while Sarbanes-Oxley is considered a burden to many public companies, requiring several full-time
staff, the Red Flags Rule can likely be handled by legal or compliance staff
already in place.

It merely requires that companies have reasonable written policies in
place, that they be certified by the Board, and that they be reviewed
regularly.

Few changes are required because the law is
so flexible. It requires "creditors" to monitor suspicious activity on
"covered accounts."

"Creditors" are any company that has accounts that can be accessed
repeatedly -- a phone company is a creditor but a magazine subscriber with a
term-limited subscription is not.

"Covered accounts" are those designed to permit multiple transactions.

"Creditors" may have some accounts that are covered and some that are
not.

Businesses need to know what to look for  they need to define the red
flags that give the rule its name  and to decide how to look for them and
what to do if red flags are found.

If you're not sure what your red flags should be, there are 26 examples in Supplement A of Appendix J of the act. If you don't want to look there, you can find them on pages
19-21 of the FTC's much shorter and much easier to read guide for
businesses.

The one issue businesses are likely to raise concerning the Red Flags
Rule is that so many businesses are deemed "creditors." Anyone who handles
loans or provides accounts that can be accessed is considered a financial
firm under the rules because the rule follows guidelines set by an earlier
law called the Equal Credit Opportunity Act, or ECOA, that defines creditors broadly.

The definition includes municipal utilities, hospitals, educational
institutions and other businesses that don't see themselves as part of the
financial industry.

"We feel like the dolphin caught in the tuna net, and it's such a big net
that it may have more dolphin than tuna in it," said Seth Gilbertson,
assistant counsel to SUNY, the college
system of the state of New York.